Better than a WAF 🤝 No False Positives

Protect your Node.js apps at runtime – with Firewall

Automatically block critical injection attacks, introduce rate limiting for APIs, and monitor outbound traffic.

Set up in seconds · No config needed
One command to install
API discovery
Rate limiting
Runtime protection
99.9% fewer false positives

Open Core Alternative to

Datadog

AWS WAF

Cloudflare

Prevent OWASP Top 10 & Zero Day threats on autopilot

Firewall shields your Node.js app from a wide array of common threats.

SQL & NoSQL injection

Attempts to manipulate database queries for malicious purposes (data theft, unauthorized access, etc.), including protection for different database flavors like MySQL, MongoDB, Postgres, and more.

Command injection

Attacks that inject and execute arbitrary system commands on your server through user input.

SSRF attacks

Attacks where an attacker manipulates a server to make unintended requests to internal or external resources, potentially gaining unauthorized access to access keys for cloud servers.

Path traversal

Attempts to access unauthorized files or directories on your server by manipulating input fields or file paths.

One command to install

Detect and block malicious user input automatically, with just 1 line of code.

You can test Firewall in dry mode and verify it works, so you don’t break your app.

npm install --save-exact @aikidosec/firewall
or
yarn add --exact @aikidosec/firewall
and import Firewall into your app.js with just one line of code:
require('@aikidosec/firewall');
or
import '@aikidosec/firewall';

Supports your tech stack

MySQL

MongoDB

Postgres

TypeORM

Sequelize

Comparison with WAF

Firewall vs Traditional Web Application Firewalls (WAF)

| | Firewall | Traditional WAFs |
|---|---|---|
| Results | Minimal false positives/negatives | More false positives/negatives |
| Deployment | Fully embedded | Cloud-based |
| Performance | Low impact | +100ms latency |
| Installation | One command, installed in seconds | Complex initial setup |
| Maintenance | No rule updates | Needs constant updates |
| Testability | Test locally | Untestable, only in production |
1. Fully embedded

Unlike WAFs, Firewall runs inside your app as a JS library.

No complex agents to deploy.

No extra infrastructure or hardware.

No impact on your performance.

2. Runs in the background

Firewall analyzes data on the fly and blocks attacks automatically.

No more updating rulesets

No constant monitoring

No extra follow-up actions

3. Stop attacks in real-time

Firewall detects threats as your application runs and stops attacks in real-time, before they ever reach your database. No more endless patching or worrying about new vulnerabilities. Just install it once, and it handles the rest.

4. Way fewer false positives & negatives

Firewall is smarter than simple blocklists. It knows the difference between a malicious command and legitimate user input, so you get fewer false alarms and more peace of mind.

Open-Core AppSec

Use on your own – or upgrade with Aikido

Firewall is a new product from Aikido Security, the no-nonsense security platform for devs. One central platform that shows devs what matters and how to resolve it, so they can get back to building.

Aikido leverages dozens of open-source packages under the hood. So, we decided to build Firewall open-core.

You can totally use Firewall on your own, without an Aikido account.

But here are some sweet extra features you’ll get, if you use Aikido:

Block users by ID or IP

Spot a suspicious IP or user ID? One click and they're gone. No coding required.

Simple rate limiting

Sick of bots and leaky API endpoints? Set up rate limiting rules to throttle suspicious traffic.

Dashboard overview

Need a clean overview of all the attacks Firewall detects and blocks?

FAQ

Got a question that isn’t on this list?
Is Firewall compatible with various databases and third-party services?

Right now, Firewall plays nicely with popular databases like MySQL, MongoDB, and PostgreSQL, and is compatible with ORMs like TypeORM and Sequelize. We're always adding support for more, including other languages like Python and Ruby. Have a specific service in mind? Let us know, and we'll prioritize it.

What is the performance impact of implementing Firewall in my application?

Honestly, it's tiny. We're talking minuscule overhead for most apps. We're obsessed with performance and constantly benchmark Firewall to make sure it stays lightning fast. Need hard numbers for your use case? Just run some tests based on our benchmarks.

It's open source, but what if I run into issues or have specific questions? Where can I get help?

You're not on your own. We have a growing community of developers and security folks using Firewall. Don’t hesitate to open a GitHub issue – we're committed to making this project a success, and that includes support.

How do I know Firewall is actually working? Can I monitor blocked attacks and get detailed reports?

Seeing is believing. Firewall logs blocked attacks with all the juicy details: what the attack looked like, where it came from, etc. We're working on dashboards and integrations to make this info even more accessible.

Monkey-patching sounds risky—will it break my app's functionality or create unforeseen conflicts?

Monkey-patching gets a bad rap. Done right, it's a clever and efficient way to add functionality. Aikido Firewall targets a very specific area of your code, monitoring all outgoing traffic to databases and 3rd party APIs. We've rigorously tested it to make sure it plays nice with common setups. We even tested with OpenTelemetry in the background, which didn't create any conflicts. Still worried? Try it in a test environment first.

Why does Firewall give me fewer false positives/negatives than a WAF?

Traditional WAFs are like security guards at the gate. They only see what comes in, not what goes on inside your building (your app). Aikido Firewall is the security guard inside, watching both the front door AND how people move around once they're in. Because it sees the whole picture – the user input AND your app's database requests – it can tell the difference between a legitimate (but weird-looking) customer and a thief trying to be sneaky. Fewer false alarms, fewer real threats slipping through.

How can one tool autonomously block so many threats without impacting performance?

We get it. It sounds too good to be true. Aikido Firewall's magic is in three things:

1) it is a library inside your app;

2) it monitors both incoming user input and outgoing connections (to databases or 3rd party services);

3) it doesn't rely on giant rule lists.

This laser focus lets it protect you with almost zero performance overhead.
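To make the "sees the whole picture" argument from the two answers above concrete, here is an added illustration (not code from Aikido Firewall) of the core idea: instead of matching user input against a blocklist, compare the request parameter with the SQL statement the app actually sends and ask whether that input stayed inside one string literal or changed the statement's structure. The tokenizer and sample queries are simplified and constructed for this example.

```javascript
// Added illustration, not Aikido's code: a simplified context-aware
// injection check that looks at user input AND the resulting query.

// Tokenize a SQL statement, recording each token's position and whether
// it is a single-quoted string literal ('' is the escaped quote).
function tokenize(sql) {
  const tokens = [];
  const re = /'(?:[^']|'')*'|[^\s']+/g;
  let m;
  while ((m = re.exec(sql)) !== null) {
    tokens.push({ start: m.index, end: m.index + m[0].length,
                  literal: m[0].startsWith("'") });
  }
  return tokens;
}

// True when `input` occurs verbatim in `sql` at a position that spans
// anything other than the inside of a single string literal, i.e. it
// contributed keywords, operators or extra literals to the statement.
function inputChangesQueryStructure(sql, input) {
  // Purely numeric or very short values cannot add structure on their
  // own and legitimately appear unquoted, so they are never flagged.
  if (input.length < 2 || /^\d+$/.test(input)) return false;
  const tokens = tokenize(sql);
  let idx = sql.indexOf(input);
  while (idx !== -1) {
    const end = idx + input.length;
    const hit = tokens.filter((t) => t.start < end && t.end > idx);
    const insideOneLiteral = hit.length === 1 && hit[0].literal &&
      idx > hit[0].start && end < hit[0].end;
    if (!insideOneLiteral) return true;
    idx = sql.indexOf(input, idx + 1);
  }
  return false; // input absent, or present only as literal content
}

// Constructed samples: a request field and the query the app built from it.
// The second one is "weird-looking but legitimate": SQL stored as text.
const samples = [
  { sql: "SELECT * FROM users WHERE id = '1' OR '1'='1'", input: "1' OR '1'='1" },
  { sql: "INSERT INTO notes (body) VALUES ('SELECT * FROM users')",
    input: "SELECT * FROM users" },
];
for (const s of samples) {
  console.log(inputChangesQueryStructure(s.sql, s.input) ? "block" : "allow",
              "<-", JSON.stringify(s.input));
}
```

A blocklist would flag the stored-SQL note in the second sample; the context check allows it because the input never left its string literal.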

Do I need to list Aikido as a subprocessor?

User tracking is fully optional and off by default. Should you choose to track users, and share personal identifiable information (PII) rather than just IDs, you will be required to list Aikido Security as a subprocessor.

We've implemented security best practices aligned with the highest standards.

Get started for free
No credit card required.